Re: Login PAM interaction suspect

From: Thorsten Kukuk <kukuk suse de>

To: Pluggable Authentication Modules <pam-list redhat com>

Subject: Re: Login PAM interaction suspect

Date: Thu, 17 Nov 2011 09:38:19 +0100

On Wed, Nov 16, David Mitton wrote:
> Quoting Nicolas François <nekral lists gmail com>:
>
>> Hello,
>>
>> On Wed, Nov 16, 2011 at 10:38:55AM -0500, David Mitton wrote:
>>>
>>> This was discussed in some other forum (which I lost my breadcrumbs to).
>>> It's moot to me, as I currently don't plan on changing that value.
>>> But login should not assume that getpwnam(PAM_USER) will work until
>>> committed with a setcred.
>>
>> OK. I see your point and getpwnam() should be delayed as much as possible.
>>
>> However, login is required to setuid(<UID>) / setgid(<GID>) before
>> setcred, and <UID> or <GID> can only be found using getpwnam(PAM_USER).
>
> Why would that be?
Because otherwise pam_setcred cannot modify them, and calling them
afterwards would invalidate all changes pam_setcred() is doing.
> and where is it written?
Did you ever read the manual page about pam_setcred()?
"Such credentials should be established,
by the application, prior to a call to this function. For example,
initgroups(2) (or equivalent) should have been performed."
Thorsten
--
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)